Date: 2022-10-20
I'd like a crate for HTTP authentication that has the following goals (described more in http-auth's README):
The existing crates don't seem to match these goals particularly well:

www-authenticate

www-authenticate has some unsound transmutes to static lifetime. (These likely aren't hard to fix though.)
www-authenticate depends on hyperx and unicase, large dependencies which many useful programs don't include.
www-authenticate only supports parsing of challenge lists, not responding to them.

digest_auth

digest_auth only supports Digest. It can't parse multiple challenges and will fail if given a list that starts with another scheme. Thus, if the server follows the advice of RFC 7235 section 2.1 and lists another scheme such as Basic first, digest_auth's parsing is insufficient.

www-authenticate + digest_auth together

In addition to the “sound” and “light-weight” www-authenticate caveats above, responding to password challenges by using both www-authenticate and digest_auth is still incomplete and not ergonomic. The caller must do extra work:

Digest and Basic, rather than using the abstract http_auth::PasswordClient that chooses the challenge for you.
Digest challenge, construct a matching digest_auth::WwwAuthenticateHeader from the www_authenticate::DigestChallenge.
Basic challenge, do the encoding manually.

Write the new http-auth crate.
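
The challenge-list failure described above for digest_auth, as an added example that is not code from http-auth, www-authenticate or digest_auth: a std-only Rust sketch that parses every challenge in a WWW-Authenticate value and still finds Digest when Basic is listed first. The sample header, the function names and the Digest-over-Basic preference are assumptions of this example, and token68-style challenges are not handled.

```rust
// Added example (std only, not the http-auth crate's code); simplified: no token68 support.
#[derive(Debug, PartialEq)]
pub struct Challenge { pub scheme: String, pub params: Vec<(String, String)> }
// Constructed sample: Basic is listed first, and its realm contains a quoted comma.
pub const SAMPLE: &str = r#"Basic realm="cam, front door", Digest realm="cam", qop="auth", nonce="abc123", algorithm=SHA-256"#;
/// Split on commas outside quoted-strings, dropping the quotes and backslash escapes.
fn split_outside_quotes(s: &str) -> Vec<String> {
    let (mut out, mut cur, mut quoted, mut escaped) = (Vec::new(), String::new(), false, false);
    for c in s.chars() {
        match c {
            _ if escaped => { cur.push(c); escaped = false; }
            '\\' if quoted => escaped = true,
            '"' => quoted = !quoted,
            ',' if !quoted => out.push(std::mem::take(&mut cur)),
            _ => cur.push(c),
        }
    }
    out.push(cur);
    out
}

/// Parse the whole list; a piece shaped like `scheme key=value` opens a new challenge.
pub fn parse_challenges(header: &str) -> Vec<Challenge> {
    let mut out: Vec<Challenge> = Vec::new();
    for piece in split_outside_quotes(header).iter().map(|p| p.trim()).filter(|p| !p.is_empty()) {
        let (head, value) = piece.split_once('=').map_or((piece, None), |(h, v)| (h.trim(), Some(v.trim())));
        let mut words = head.split_whitespace();
        let (first, key) = (words.next().unwrap_or(""), words.next());
        if key.is_some() || value.is_none() {
            out.push(Challenge { scheme: first.to_string(), params: Vec::new() });
        }
        if let (Some(v), Some(ch)) = (value, out.last_mut()) {
            ch.params.push((key.unwrap_or(first).to_ascii_lowercase(), v.to_string()));
        }
    }
    out
}
/// Model of a parser that gives up unless the first challenge in the list is Digest.
pub fn first_only_digest(chs: &[Challenge]) -> Option<&Challenge> {
    chs.first().filter(|c| c.scheme.eq_ignore_ascii_case("Digest"))
}
/// This example's policy: prefer Digest over Basic wherever each sits in the list.
pub fn pick_preferred(chs: &[Challenge]) -> Option<&Challenge> {
    ["Digest", "Basic"].iter().find_map(|s| chs.iter().find(|c| c.scheme.eq_ignore_ascii_case(s)))
}
fn main() {
    let chs = parse_challenges(SAMPLE);
    println!("first-only: {:?}; preferred: {:?}", first_only_digest(&chs), pick_preferred(&chs));
}
```

With the sample header, the first-challenge-only model finds nothing to answer, while the full-list parse selects the Digest challenge.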